Description
Authorization Bypass Through User-Controlled Key vulnerability in JoomSky JS Help Desk js-support-ticket allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JS Help Desk: from n/a through <= 3.0.3.
Published: 2026-03-25
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authorization Bypass via IDOR
Action: Update Plugin
AI Analysis

Impact

The JoomSky JS Help Desk WordPress plugin contains an Authorization Bypass through User‑Controlled Key flaw, which permits an attacker to reference tickets belonging to other users by manipulating a key value. This insecure direct object reference undermines confidentiality and integrity, as unauthorized users may view or modify tickets that do not belong to them. The weakness is classified as CWE‑639.

Affected Systems

Affected systems include installations of the JS Help Desk WordPress plugin from any version up to and including 3.0.3. The issue is present in all releases before that version, with the exact edition unspecified beyond the upper bound. No later versions are listed as vulnerable.

Risk and Exploitability

The CVSS score of 6.5 indicates medium severity, and the EPSS score of less than 1 % suggests a low probability of exploitation in the wild. The vulnerability is not listed in CISA’s KEV catalog. Based on the description, the likely attack vector is remote, over the web, by sending crafted HTTP requests that supply a manipulated key to the plugin’s endpoints. Exploitation would require either authenticated access or the ability to guess valid key values.

Generated by OpenCVE AI on March 26, 2026 at 15:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to JS Help Desk version 3.0.4 or later to remove the IDOR flaw.
  • If upgrade is not possible immediately, restrict access to the plugin’s administrative pages using web server rules or firewall settings to limit exposure to authorized users only.
  • Monitor incoming requests for anomalous ticket key values to detect potential abuse.

Generated by OpenCVE AI on March 26, 2026 at 15:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Joomsky
Joomsky js Help Desk
Wordpress
Wordpress wordpress
Vendors & Products Joomsky
Joomsky js Help Desk
Wordpress
Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description Authorization Bypass Through User-Controlled Key vulnerability in JoomSky JS Help Desk js-support-ticket allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JS Help Desk: from n/a through <= 3.0.3.
Title WordPress JS Help Desk plugin <= 3.0.3 - Insecure Direct Object References (IDOR) vulnerability
Weaknesses CWE-639
References

Subscriptions

Joomsky Js Help Desk
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-26T13:36:09.955Z

Reserved: 2026-03-12T11:12:24.777Z

Link: CVE-2026-32535

cve-icon Vulnrichment

Updated: 2026-03-26T13:17:01.528Z

cve-icon NVD

Status : Deferred

Published: 2026-03-25T17:17:07.160

Modified: 2026-04-24T16:35:20.070

Link: CVE-2026-32535

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:30:38Z

Weaknesses